Commit Graph

2844 Commits

Author SHA1 Message Date
36bc08ce18 Fix date for Ubuntu >= 25.10
works for
- ubuntu 24.04
- Debian 13
- openbsd 6.6 / 7.x
- macos 15.7.1

Fixes #2909
2025-10-07 23:23:09 +02:00
ffa1ffdbb3 fix syntax 2025-10-05 20:16:39 +02:00
5b0b771c52 Define vars for early data
It seems needed to introduce two variables for upcoming early data tests,
see #1186. This is not needed for OpenSSL as it introduced that
together with TLS 1.3. For LibreSSL it is though.
2025-10-05 18:19:41 +02:00
637ad03a36 Merge pull request #2904 from testssl/jdvorak001-fix_file_naming
Jdvorak001 fix file naming
2025-09-30 17:31:33 +02:00
78ecf53b67 Consistency for function ciphers_by_strength()
* keys now always with v, like supportedciphers_TLSv1_2 and also
  ciphers (e.g. TLSv1.2   x35     AES256-SHA)
* add word "server" to file output so that it reads "NOT a server cipher order configured"

Fixes #2884
2025-09-30 14:30:52 +02:00
123684f554 make spellchecker and myself happy ;-) 2025-09-30 13:58:28 +02:00
e8ab2c74e6 straighten global definitions in the very bottom 2025-09-30 13:56:25 +02:00
1d6ddfb352 rename datetime_started
.. to fname_date as it's more consistent with fname_prefix
2025-09-30 13:35:08 +02:00
e0009cf0cb Adapt variable naming (datetime_started now) 2025-09-26 12:18:44 +02:00
67aba03a41 Use common datetime part when naming output files across all formats
- the datetime is fetched just once
- it is then passed to the functions that start the output files, always as arg1
2025-09-25 23:26:33 +02:00
41db430c46 Fix #2896
This commit fixes #2896. This commit avoids modifying the ADDTL_CA_FILES environment variable, and instead substitutes spaces for commas whenever the variable is used.
2025-09-21 13:23:55 -07:00
75feb05a0c Fix indentation @ Intermediate cert validity
... when there were two server and >1 intermediate CA certificates.
2025-09-16 13:03:48 +02:00
ef82cd37be fix typo 2025-09-15 16:00:53 +02:00
15ebceca84 Fix garbled screen when HTTP Age is not a non-negative int
As suggested in https://github.com/testssl/testssl.sh/pull/2885 parsing
of the server determined HTTP age var wasn't strict enough.

https://www.rfc-editor.org/rfc/rfc7234#section-1.2.1 requires the
variable to be a non-negative integer but testssl.sh assumed it was
like that but didn't check whether that really was the case. This was
labeled as a (potential) security problem. Potential as it didn't
look exploitable after review -- the header as a whole was already
sanitized.

This PR fixes the type confusion and the garbled screen by checking
the variable early in run_http_header() and reset it to NaN. That
will be used later in run_http_date() to raise a low severity finding.

Kudos to @Tristanhx for catching this and for the suggested PR.

Also, only when running in debug mode, this PR fixes that during
service_detection() parts of the not-yet-sanitized header ended
up on the screen. The fix just calls sanitze_http_header() for the
temporary variable $TMPFILE.
2025-09-15 15:41:43 +02:00
881ce7723e wait_kill() is now 0.1 seconds
... which leads to a performance gain, most notably on Macs.

All times when calling were re-adjusted.

Also:
* PROXY_WAIT was decreased to 10 seconds. 20 seemed just too much
* passed var to `starttls_just_read()` was simplified
2025-07-30 18:34:37 +02:00
279bc4ad91 Fix additional parameter in shouldwedo_ipv6()
.... for connectivity_problem() which may block testssl.sh
2025-07-30 12:53:13 +02:00
2ce0110eee Exec IPv6 check in background
... as it can get stuck.

Also reduce MAX_WAITSOCK to 5 instead of 10.
2025-07-29 15:36:23 +02:00
0225bc3604 typo fix 2025-07-28 15:44:58 +02:00
9166fc7174 Fix typo in comment 2025-07-28 15:43:01 +02:00
f8d3df7747 Make QUIC protocol detection more reliable
The site from that billionaire who made nazi gestures delivers a UDP
response without proper TLS handshake. This led to a false positive
as if the site supports QUIC via h3.

This PR makes the detection of QUIC more robust by adding a certificate check
and also takes the return values from `wait_kill()` better into account.

It also introduces a function to remove any non printable chars (depending
on the LC_ALL var): `filter_printable()`

Also `sanitze_http_header()` doesn't operate anymore on a global variable
which is kind of not best practice as it is easy to avoid here.
2025-07-28 15:37:35 +02:00
57689611bf Fix also IPv6 addresses for --nodns etc....
Seems the patch in #2856 wasn't complete. So that it was forgotten to add also manually specified IPv6 addresses to the IP addresses to show and to scan.
This makes sure it does, so this fixes #2854 finally.

Also statements were added to reset do_ipv4_only and do_ipv6_only correctly so that later the output "Testing all IP** addresses" is correct.
2025-07-22 14:38:42 +02:00
d638843cc1 Merge pull request #2858 from testssl/code2network_socksend_x
Slightly improved strings @ pre-socket handling
2025-07-21 17:32:09 +02:00
6c045e05ab Merge pull request #2855 from testssl/fix_2847+
Doing a better guess for Opossum when tcp/80 is not a/v
2025-07-21 16:24:37 +02:00
eb75ac23b6 Slightly improved strings @ pre-socket handling
* `code2network()` was improved to just use internal bash functions, except sed
* `socksend()` was renamed to `socksend_x()` to clarify that the string passed contains already a leading x

We might want to try using in `code2network()` only bash internal functions like in `socksend_x()`.
And maybe decide for one format of hexbytes in the code -- with x or without.
2025-07-21 16:15:13 +02:00
727f6c9fa6 Fix bug when --nodns none --ip <IP> is supplied
Due to rebasing determine_ip_addresses() in #2852 it was
forgotten to add any manually specified IP address to
the IP addresses to show and to scan.

This fixes #2854 .
2025-07-21 10:27:23 +02:00
cb971b5336 Doing a better guess for Opossum when tcp/80 is not a/v
This labels the result of a failed test for reaching
port 80 when no direct connection is possible as likely not
vulnerable.

This seems safe to say, as there's another check whether
a proxy is configured, like for corporate environments where
a connection is only allowed through the proxy.
2025-07-21 10:08:25 +02:00
a549acd86d Merge pull request #2852 from testssl/full_ipv6
Enable IPv6 automagically
2025-07-20 20:56:34 +02:00
274a9ca5d6 Merge pull request #2853 from testssl/quic_httpfix
only exec QUIC when SERVICE= HTTP
2025-07-20 18:06:14 +02:00
e62949d39d Merge pull request #2851 from testssl/fix_2847
Fix port and block problem for Opossum
2025-07-20 18:05:19 +02:00
e09d79aad9 Fix error message on UI when testing Opossum
As `wait_kill()` returns with 0 when a TCP reset is encountered
and the process is not killed, we need to open the socket again
in a sub shell. Which is safe in the foreground.

If then the subshell returns with 0 we can safely connect to
port 80.
2025-07-20 15:40:35 +02:00
7a6c652de0 only exec QUIC when SERVICE= HTTP
... and document wait_kill better
2025-07-20 15:28:12 +02:00
a05e697fd1 UI improvements IPv6
* IPv6 addresses which won't be scanned will be put in round brackets to feedback the UI
* logic bug fixed which always said "Testing all IPv4 addresses (port $PORT):". Simplified the MULTIPLE_CHECKS output
2025-07-20 14:46:48 +02:00
433ab5118b fix typo 2025-07-19 16:19:42 +02:00
4d1350ebf9 Enable IPv6 automagically
This PR will enable IPv6 fully if available.

It was not enabled before as users were confronted with an error message when
testssl.sh wanted (also) to scan IPv6 before but routing/configuration or
whatsoever issues prevented that. This has been solved by introducing the function
`shouldwedo_ipv6()` which checks whether we can reach the target via IPv6 --
tracked by the global IPv6_OK.

The change is in line with tools like wget or curl in a sense that if IPv6 works
it is just being used. Formerly testssl.sh had to be instructed via -6 cmdline
option, like nmap.

* -6 is now the switch to do IPv6 scans only
* -4 is now the switch to do IPv4 scans only

The latter is a *breaking change*, as the cmdline option meant before to check
for RC4 ciphers.

Also HAS_IPv6, synonymous to -6 before, does not exist anymore.

As the command line option `--connect-timeout` seemed rather unspecific,
it has been replaced by `--socket-timeout`, also all internal variables.

Todo:
* man pages
* dashed lines appear too long
2025-07-19 15:57:52 +02:00
ea3cc3789f handle UI output better when conn to port 80 failed 2025-07-19 13:40:03 +02:00
0d63a56c80 Fix logic error and mind the sub shell (fd) 2025-07-18 20:17:12 +02:00
9e29b35e9e open socket error message, not stdout 2025-07-18 19:06:42 +02:00
9743a96462 fix indentation 2025-07-18 18:30:08 +02:00
cd7a887878 Fix port problem for Opossum
This fixes #2847 .

It was falsely assumed that the http head command blocks when port 80 is not available but
actually the exec for the socket is the culprit.

This PR changes that so that the exec is put in the background.

Another change is that $node is still used but the port is stripped off which
led to the problem raised in #2847. We use $node instead of $NODE as we
can recycle the `http_head[er]_printf()` later.

`http_header_printf()` was renamed to `http_head_printf()` as there's also an `http_head()`
and an `http_get()`
2025-07-18 18:18:30 +02:00
2d1a5930ca add support for MacOS's dscacheutil 2025-07-17 16:48:22 -04:00
88b7af8ad1 Try harder to find OPENSSL2
This commit adds an improvement so that e.g. under MacOS
/opt/homebrew/bin/openssl is automatically taken as
$OPENSSL so that also QUIC works out of the box for MacOS.

Formerly for at least MacOS with silicon CPUs OPENSSL was
equal to OPENSSL2 and LibreSSL in /usr/bin/openssl doesn't
have QUIC support (up to version 15.5 of MacOS at least).
2025-07-15 23:28:44 +02:00
f4ab559dbf Fix message when IPv6 needs to be tested too
"Testing all IPv4 addresses"
2025-07-15 17:29:28 +02:00
a4953d6e22 Redo PR for Opossum
Fixes #2833

This does a check for the opossum vulnerability, see https://opossum-attack.com/ .

It uses a separate function to send the payload and retrieve the result via `http_header_printf()`.  It doesn't use curl or wget. The latter wouldn't work anyway as according to the manpage as the HTTP header which needs to be sent must not contain LFs.  This function was introduced because `http_get_header()` -- which was renamed to `http_head()` -- could use wget if curl is not available. On the way to this PR `http_head()` was improved, so that timeouts were used for curl and wget for better maturity.

`http_header_printf()` now uses bash sockets, strips the URI so that a plaintext request is made. This will be done in the background because not every host will answer.

Done also:
- handling when PROXY is requested (try anyway directly as the payload is not "proxyable")
- print a message when no HTTP service is present
- try hard to use plaintext HTTP when auth is required for HTTPS and service HTTP would not be defined otherwise
- manpages
- help

Also when pwnedkeys are checked a not pwned certificate is labeled not neutral but OK=green.
2025-07-12 20:59:50 +02:00
fc3e7eca84 Merge pull request #2830 from magnuslarsen/3.1dev
feat: bump ssllabs rating guide to 2009r
2025-07-09 23:21:33 +02:00
198a5f0c30 fix(rating): HSTS not offered does not give a warning 2025-07-09 09:41:11 +02:00
f5fd7cb2c7 One more space 2025-07-08 21:16:26 +01:00
3e465bafe2 feat: bump ssllabs rating guide to 2009r 2025-07-08 14:20:46 +02:00
ec5443438f Removed rogue space on QUIC output
Before:

```
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 QUIC        not offered or timed out
 NPN/SPDY   not offered                                                                                      
 ALPN/HTTP2 h2, http/1.1 (offered)                                                                           
```

After:

```
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 QUIC       not offered or timed out
 NPN/SPDY   not offered
 ALPN/HTTP2 h2, http/1.1 (offered)
```
2025-07-08 08:32:47 +01:00
85805ba8db Fix not working --disable-rating switch (3.3dev)
The logic was wrong when calling set_rating_state() in parse_cmd_line() as do_rating was set before to true through set_scanning_defaults().

This PR fixes #2825 by querying ${SKIP_TESTS[@]} instead and then calling set_rating_state() when no --disable-rating was supplied .
2025-07-07 12:07:53 +02:00
89bd3c753d Add QUIC protocol check in help() 2025-07-04 14:55:48 +02:00